This is a talk given by Jacob Appelbaum, a computer security expert from the University of Washington & a friend of Julian Assange. He has some pretty startling things to say about the state of computer/smart phone surveillance. Maybe my computer illiteracy makes all this stuff sound much more intimidating than it is, but it doesn't feel like that.

In any case, I'd love to hear from the more technologically-inclined SFF'ers on this. 1) what you think about the video, & 2) if you could point me in the direction of a worthwhile 'Idiot's Guide to Computers/the Internet.' I'm sure there are plenty out there; but if anyone knows of 1 or 2 in particular that stand out from the rest, I'd like to know about them.


Wed May 30, 2012 1:06 pm

jakethesnakeguy who cried about wrestling being real

Joined: 03 Feb 2006
Posts: 6311
Location: airstrip one

I can't recall if I posted here, but I definitely put it up on FB. I had an article recently that talked about the same things. The gist of it was, there's a few dozen "locations" (ISPs, telecommunication companies, etc.) that have these supercomputer servers set up (that this Jacob guy is talking about) that can be used at any time, manually or automatically, for monitoring all of your internet data.

Police nowadays frequently use these "services" for warrant-less tracking, etc. Everyone willingly has a tracking device with a GPS on it. Some of these things have benefits, like if you get lost in the woods they can find you pretty easily if your phone is on. It can also be used against you, since every purchase you make can be tracked, your phone calls, internet websites you've visited, etc.

Read up on the NSA/government employee towns that have sprung up in Virginia/Maryland since 9/11.

An article came out last week showing that people associated with Occupy are being monitored.

This is a good talk, gathering together a lot of old news about real issues.

Consolidated power bases employing technology experts have a huge tactical advantage over any given activist. This is true regardless of whether the consolidated power base is a superpower government's law enforcement and intelligence agencies or, for example, a publicity agency employed by a Fortune 500 company paying some Russian bot herder to shit up Knowmore's article on the company with spam that just "happens" to wipe out text which was critical of the company.

Appelbaum is basically talking about two interlocking issues:
1. Correlation of communication data can reveal surprisingly large amounts of information about people. The same networks (Twitter, Facebook, etc) that are so empowering for activist organizations also expose huge amounts of information about those activist organizations.
2. Ubiquitous internetworking and computing, especially in the context of mobile phone networks, has produced a status quo rife with opportunities for exploitation and abuse by any entity with centralized power.

The first issue is part of a vast sea change in our society, and is way bigger than the issues Appelbaum is talking about here. He's asking a lot of questions about how this data ubiquity allows an authoritarian government to threaten our essential freedoms, but he's not asking the questions about how this data ubiquity allows corporate power to threaten those same freedoms, or how it allows people to threaten and harass each other. We're working our way collectively through a slow process of deciding how much of this social graph data is appropriate to generate and store, and it remains to be seen whether we are going to scale back from the level of sharing we have today in 2012 or whether we are going to simply move our expectations about privacy to tolerate more than we currently tolerate.

The second issue is a technology problem: Most of us are using computers and phones that we didn't build, running software we don't know whether or not we can trust to be tampered with, and we are connecting those devices to networks that are outside of our control and are being managed by entities who are not working to protect our interests.

Basically, at some point we're going to have phones that we can snap together from widely available cheap parts, and operate using cryptographically verifiable software that's freely available on the Internet. These phones are going to prefer to talk to each other than to talk to cellphone towers, and are going to prefer to use VoIP networking and something like Tor (an onion router) to enable voice-to-voice communication instead of the legacy telephone network. We will be able to trust our devices because it will be easier to assemble a new one from shrinkwrapped parts than it will be to carry a phone through a border check and then scrub it for bugs afterward. We will be able to trust the software on our devices for similar reasons. Our identities will follow us from clean device to clean device because the networks we use will assume that's what is supposed to happen. The centralized attacks on our communications will be crippled by this new reality.

Whether people will actually use these systems is a less clear thing. Tens of millions of people use iPhones and most of those people just straight-up don't care whether they're wiretapped or not, as long as the wiretapping doesn't personally inconvenience them à la identity theft. The solutions that the corner case people care about are only available if you can get a significant fraction of those indifferent iPhone people to go with something that doesn't work as well for them. Not all of these problems are going to be solved.

Things like encryption of email are a harder problem. Direct user-to-user communication is ephemeral, and The Wire tells us that most conspiracies rely on it. The challenge is catching the communication in transit, and if you fail to do so you lose. With stored communication mechanisms like email, Facebook, Twitter, etc.--as well as any store-and-forward systems that might emerge--there are an order of magnitude more angles of attack to follow.

For example: Appelbaum mentioned, late in the first video, mixmaster email servers being confiscated by the FBI because someone used them to send bomb threats. What he failed to mention is that if the use of these systems to send bomb threats is a justifiable reason to shut them down, then all the FBI has to do to shut down legitimate traffic on this system is send bomb threats through it.

Appelbaum is ultimately arguing that we need a set of widely-adopted best practices which make it harder for these vulnerabilities to exist. The biggest best practice he's arguing for is security consciousness: people educating themselves to these issues and committing to factor those issues into the decisions they make, not even for their own security needs but for the security needs of others.

This is where the technology problem interlocks back with the first issue (the ubiquity of big data): It's not a given that everyone is going to care about security the way he argues we should begin to care about security. We may very well see a social shift where the legal phrase "no expectation of privacy" becomes a social reality, and that people see this as a good thing because of the beneficial feature set that we get in exchange.

The Conversation is a really good movie, and I think it's a cautionary tale about what your life can start to be like if you go too far down that road. Blissful ignorance is a better choice for a lot of people... until we have a Stasi-esque police state of the kind he keeps darkly alluding to.

Political activism is required to push back against that possible outcome. Terrible things can happen to you if you're caught running Tor and encrypted VoIP software inside China. Most of the tools he's talking about here don't help you once you're in a country (or company) that has already bought, stolen, or intimidated its way into a perceived right to punish you for using the tools in the first place.

I have no particular reading recommendations to offer; it's perhaps worth keeping in mind as you read my response that I am employed by a company that operates some of the red dots in those network graphs the TED video showed.

Mark - The 'free software movement' is a pretty fascinating thing. I'm definitely interested in Tor, too. Would you recommend its use? What are its pros & cons?

I just read an article today about how governments are increasingly relying on data from sites like Facebook instead of doing their own surveillance work: http://usvjones.com/2012/06/02/three-fixes-for-the-fourth-amendment-after-jones/. Reminds me of a friend of mine who said, when we were discussing Occupy recently, 'By having open meetings & an open e-mail list-serv, we're pretty much conducting surveillance on ourselves.'

Jake - I just clicked on the EFF (Electronic Frontier Foundation, for those who aren't familiar) link you posted, & a screen popped up saying 'This site's security certificate is not to be trusted!' haha.

But I chose to proceed anyway. Because I'm a rebel without a clue when it comes to computers.

Sat Jun 02, 2012 5:34 pm

Mark in Minnesota

Joined: 02 Jan 2004
Posts: 2053
Location: Saint Louis Park, MN

There are a variety of reasons why one might want to use Tor, including but not limited to:
1. To hide clandestine Internet activity from interested parties.
2. To become an endpoint that others might use to hide clandestine Internet activity from interested parties--a kind of "passive activism."
3. To learn more about the technology, possibly as a means of preparation for future clandestine Internet work.
4. To troubleshoot, looking for various Internet behaviors that might indicate things like ISP-level traffic filtering, the presence of malware on local systems, or other man-in-the-middle style malfeasance.

The cons of using it include, but are not limited to:
1. Creating the appearance of clandestine Internet activity, possibly subjecting yourself or your Internet provider to additional scrutiny.
2. Time and opportunity cost from maintaining--and learning to maintain--Tor presence on your systems and networks instead of doing other things.
3. Degraded Internet performance from encryption overhead, additional network hops, etc.

I don't personally use Tor. As an IT professional I oppose its use within my employer's networks, and on systems which are my employer's property.

On the other hand, I'm a huge fan of the technology in principle, and of the stated goals of the people that have designed Tor and promote its global use.

The whole point of those Jacob Appelbaum videos is that we should educate ourselves to these things and then make those decisions for ourselves for the right reasons. I can't recommend that you use Tor because I don't know what your goals and priorities are.

Put simply: Those who are not prepared to become experts in these issues should be prepared to employ experts to make these decisions for them. Anyone who is not prepared to employ experts should understand who makes the decisions by default.

I'm allowing Google, Facebook, Apple, Verizon, and Comcast to make a lot of those decisions for me in my private life--but on the other hand I'm not involved in some Occupy-esque movement where I might have reasonable concern that my technology decisions will allow these companies (or authority agencies that these companies cooperate with as a matter of practice) to interfere with my strategic interests.

Increasingly, activist organizations need to be seeking out the equivalent of a CIO and CSO, someone who is responsible for understanding the priorities of the organization and helping to translate those priorities into appropriate security best practices. Having these kinds of people associated with a movement is just as important as having attorneys on retainer, etc.

If you have good reason to be concerned about surveillance by outside parties (legal, extralegal, or outright criminal) you should be seeking an advisory relationship with security experts. This is no different than the way you should be seeking an advisory relationship with legal experts if you have good reason to be concerned about lawsuits or arrests.

Appelbaum's argument is that we all have good reason to be concerned about that surveillance. He has a secondary argument that even those of us who have decided not to be concerned about those matters should still alter our best practices (stop using Facebook and Google; use text normalizing tools like "Anonymouth" to make others' attempts to foil stylometry attacks more effective, etc) because network effects matter.

I tend not to agree with him on that point, at least as relates to me personally; I feel like exposing myself to the commercial interests of these organizations has given me access to more innovative technologies than I would otherwise have access to, and that these technologies are a net positive for my life. The same network effects that make non-technical activists easier to screw with as a negative effect also have positive effects, and I try to position myself to benefit from those, fully realizing that doing so helps certain forms of evil to prevail.

You need to make your own decision about your own life. Everyone does.

The only way to get around it is internet abstinence. Keep your legs closed!

Sun Jun 10, 2012 8:29 pm

anomalyLoserface

Joined: 22 May 2008
Posts: 2625
Location: DFW, TX

And don't buy deer meat from strangers.

Sun Jun 10, 2012 9:33 pm

Captiv8

Joined: 25 Aug 2006
Posts: 8546
Location: Third Coast

I think it's foolish to believe the government isn't monitoring everything we do on computers. Remaining anonymous is becoming more and more difficult. The best way to browse inconspicuously is at a library. Then again, checking an e-mail tips off your identity right quick. It's a mad world out there, indeed. I wish I was a bit more savvy about computers.

Mon Jun 11, 2012 6:12 am

jakethesnakeguy who cried about wrestling being real

Joined: 03 Feb 2006
Posts: 6311
Location: airstrip one

Alan Hague wrote: Thanks for all the additional info; I've got plenty of reading to do.

Mark - The 'free software movement' is a pretty fascinating thing. I'm definitely interested in Tor, too. Would you recommend its use? What are its pros & cons?

I just read an article today about how governments are increasingly relying on data from sites like Facebook instead of doing their own surveillance work: http://usvjones.com/2012/06/02/three-fixes-for-the-fourth-amendment-after-jones/. Reminds me of a friend of mine who said, when we were discussing Occupy recently, 'By having open meetings & an open e-mail list-serv, we're pretty much conducting surveillance on ourselves.'

Jake - I just clicked on the EFF (Electronic Frontier Foundation, for those who aren't familiar) link you posted, & a screen popped up saying 'This site's security certificate is not to be trusted!' haha.

But I chose to proceed anyway. Because I'm a rebel without a clue when it comes to computers.

Looks like the ssd.eff.org site has a different certificate than the eff.org main page itself. I'm not sure why they did that, but that's probably what threw the warning. However, EFF does have a valid cert.